Empire – Your best Friend to Secure Your Systems
@harmj0y @jaredcatkinson
I am @harmj0y, Offensive Engineer and Red Teamer
Developer: Veil-Framework, PowerView, PowerUp, Empire/Empyre, BloodHound
Speaker: DEF CON, BlueHat IL, DerbyCon, et al.
Other: Microsoft PowerShell/CDM MVP, BlackHat Trainer
Hello!
I am @jaredcatkinson, Forensicator, Incident Responder, and Hunter
Developer: PowerForensics, Uproot IDS
Speaker: 44CON, BSides DC, PowerShell Summit, PS Conference EU
Other: U.S. Air Force Hunt Team, Microsoft PowerShell/CDM MVP, BlackHat Trainer
Hello!
Offensive and Defensive Philosophy
Building an Empire
Uprooting the Adversary
PowerForensics
Demos!
tl;dr
Offensive and Defensive Philosophy
“Fundamentally, if someone wants to get in, they’re getting in…accept that. What we tell clients is: Number one, you’re in the fight, whether you thought you were or not. Number two, you almost certainly are penetrated.”
Michael Hayden, former Director of NSA & CIA; quoted in the Microsoft Enterprise Cloud Red Teaming whitepaper
“Assume Breach”
◉ For offense:
  ○ Focus on post-exploitation
  ○ “Blend with the noise” to slip under the blue team’s detections
◉ For defense:
  ○ Proactively hunt for malicious actors
  ○ “Blend with the noise” to slip under the actor’s detections
Living Off the Land
◉ Focus on blending in with normal host and network actions
◉ For offense:
  ○ Utilize built-in capabilities
  ○ powershell.exe, WMI, msbuild, netsh, etc.
◉ For defense:
  ○ WMI, ETW
  ○ Raw disk handles, to minimize the trust required in other built-in actions that may tip your hand
Why PowerShell?
◉ “Microsoft’s post-exploitation language” - @obscuresec
◉ PowerShell provides, out of the box:
  ○ Full .NET access
  ○ Direct access to the Win32 API
  ○ Ability to assemble malicious (or defensive) binaries and capabilities in memory
  ○ Default installation on Windows 7+!
Our Goal
◉ We want to show how PowerShell can be used to both break and secure your enterprise systems
◉ We will walk through some of PowerShell Empire’s offensive capabilities, Uproot’s intrusion detections, and PowerForensics’ post-analysis abilities
Building An Empire With PowerShell
First Things First
◉ Empire would not be possible without the help and phenomenal work from:
  ○ PowerSploit by @mattifestation, @obscuresec and @JosephBialek
  ○ Posh-SecMod by @Carlos_Perez
  ○ UnmanagedPowerShell by @tifkin_
  ○ Mimikatz by @gentilkiwi and Vincent LE TOUX
◉ Everyone who contributed modules, bugs, fixes, and time! You all rock!
What Is Empire?
◉ Empire is a fully-featured PowerShell (and Python!) based remote access trojan (RAT) released at BSides LV 2015
◉ Provides a rich set of post-exploitation actions in line with the “assume breach” philosophy
Why Build This?
◉ Started as a thought exercise!
◉ We wanted to:
  ○ Provide a rapidly extensible platform to integrate offensive/defensive PowerShell work
  ○ Build a platform that’s easily customizable
  ○ Train defenders on the capabilities of offensive PowerShell!
(Screenshot not reproduced; caption: ^ the guy who invented PowerShell)
Empire Design Decisions
◉ Asynchronous communications
  ○ GET/POST tasking structure
◉ We care about crypto!
  ○ “Perfect forward secrecy” w/ encrypted key exchange
◉ Modularity
  ○ Common module format w/ a variety of options
  ○ Post-exploitation modules can be loaded and removed live
Empire Capabilities
◉ code_execution - ways to run more code
◉ collection - post-exploitation data collection
◉ credentials - collect and use creds
◉ lateral_movement - move around the network
◉ management - host management and auxiliary
◉ persistence - survive the reboot
◉ privesc - escalation capabilities
◉ situational_awareness - network awareness
◉ trollsploit - have fun with defenders :)
Empire 2.0
◉ Empire/EmPyre: we wanted one single controller for our Python Linux/OS X agents and our PowerShell agents.
◉ Modularize C2: expandable listeners that you can drag/drop into the framework for additional transports.
◉ Code Rot: fix our past mistakes and build a foundation for the future viability of the project.
Modular C2
◉ Previously, listeners were hard-integrated into the code base, so adding transports was extremely difficult
◉ Now listeners are encapsulated in self-contained modules
  ○ Allows you to drag/drop listener modules into the framework just like post-exploitation modules
◉ Can even use third-party sites like...
Uproot IDS
WMI Introduction
◉ Windows Management Instrumentation
◉ Microsoft’s implementation of the Common Information Model (CIM) standard
◉ Allows administrators to query system information:
  ○ System
  ○ Applications
  ○ Hardware
  ○ Networks
◉ PowerShell provides a simple interface:
  ○ Get-WmiObject
  ○ Get-CimInstance
WMI Event Subscriptions
◉ WMI interface for monitoring changes to the model
◉ Classes built specifically for event monitoring
◉ Subscriptions are persistent
  ○ Maintained in the WMI Repository
◉ Built with troubleshooting in mind, but:
  ○ Attackers leverage them for persistence
  ○ Defenders leverage them for intrusion detection
◉ Three parts to a subscription:
  ○ Filter
  ○ Consumer
  ○ Binding
Uproot Introduction
◉ Intrusion detection system that leverages WMI permanent event subscriptions to detect:
  ○ General system information
  ○ Introduction of persistence
  ○ Lateral movement
◉ Abstracts the complexity of permanent WMI event subscriptions
  ○ Register-PermanentWmiEvent
◉ Reports events via:
  ○ Windows Event Log (ideal)
  ○ HTTP POST (Splunk or ELK)
  ○ Flat log file
Intrusion Detection
◉ Real-time monitoring (push vs. pull)
  ○ Pull - query data from a centralized point
  ○ Push - an endpoint agent sends data to a centralized location
◉ Push removes the blind spots between “pulls”
◉ Monitoring is distributed to the endpoints instead of a server
◉ Requires some sort of presence (agent) on the endpoint
◉ Built-in monitoring capabilities:
  ○ WMI Event Subscriptions
  ○ Event Tracing for Windows (ETW)
Basics - Filter
◉ __EventFilter
  ○ Defines the event to detect using WMI Query Language (WQL)
  ○ Intrinsic events (__InstanceCreationEvent, __InstanceModificationEvent, ...) are polled, so the query needs a WITHIN <seconds> interval; extrinsic events such as Win32_ProcessStartTrace are delivered by the provider as they happen
◉ Event filter examples:
  ○ SELECT * FROM Win32_VolumeChangeEvent WHERE EventType = 2
  ○ SELECT * FROM Win32_ProcessStartTrace WHERE ProcessName LIKE '%chrome%'
  ○ SELECT * FROM __InstanceModificationEvent WITHIN 5 WHERE TargetInstance ISA 'Win32_Service' AND TargetInstance.State = 'Running'
  ○ SELECT * FROM __InstanceCreationEvent WITHIN 10 WHERE TargetInstance ISA 'Win32_StartupCommand'
Basics - Consumer
◉ __EventConsumer
  ○ ActiveScriptEventConsumer
    ■ runs a predefined script in an arbitrary scripting language
  ○ CommandLineEventConsumer
    ■ starts an arbitrary process on the local system
  ○ LogFileEventConsumer
    ■ writes customized strings to a text log file
  ○ NTEventLogEventConsumer
    ■ logs a specific message to the operating system event log
  ○ SMTPEventConsumer
    ■ sends an email message using Simple Mail Transfer Protocol (SMTP)
Basics - Binding
◉ __FilterToConsumerBinding
  ○ Registration of a permanent event consumer: relates an instance of __EventConsumer to an instance of __EventFilter
(Diagram: a Filter and a Consumer joined by a Binding)
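The filter, consumer and binding from the three "Basics" slides above, assembled into one working subscription. This is an added example, not Uproot's Register-PermanentWmiEvent or any code from the talk; it uses only the stock Set-WmiInstance / Get-WmiObject / Remove-WmiObject cmdlets. The subscription name, the event source and the EventID are arbitrary choices, and the Run-key entry used to trigger it is a constructed test value. It must run elevated: permanent subscriptions live in root\subscription and their consumers execute as SYSTEM, which is exactly why attackers like them for persistence.

```powershell
# Added example (not Uproot's or Empire's code): a three-part permanent WMI
# subscription that records new autostart entries in the Application event log,
# the enumeration a hunter uses to find subscriptions somebody else planted,
# and the teardown. Win32_StartupCommand covers the Run keys and Startup folders.
# Run from an elevated PowerShell. Names, source and EventID are arbitrary.

$Namespace = 'root\subscription'
$Name      = 'Demo_StartupCommandWatch'

# 1. Filter: the WQL query that defines the event. __InstanceCreationEvent is an
#    intrinsic (polled) event, so WITHIN <seconds> is mandatory.
$Filter = Set-WmiInstance -Namespace $Namespace -Class __EventFilter -Arguments @{
    Name           = $Name
    EventNamespace = 'root\cimv2'
    QueryLanguage  = 'WQL'
    Query          = "SELECT * FROM __InstanceCreationEvent WITHIN 10 " +
                     "WHERE TargetInstance ISA 'Win32_StartupCommand'"
}

# 2. Consumer: NTEventLogEventConsumer writes to the Application log, which most
#    SIEM forwarders already collect. %TargetInstance.Prop% placeholders are
#    expanded from the matched event when it fires.
$Consumer = Set-WmiInstance -Namespace $Namespace -Class NTEventLogEventConsumer -Arguments @{
    Name                     = $Name
    SourceName               = 'WSH'   # any source; unregistered sources still log, with a generic description
    EventID                  = 8
    EventType                = 2       # 1 = Error, 2 = Warning, 4 = Information
    Category                 = 0
    NumberOfInsertionStrings = 3
    InsertionStringTemplates = @(
        'New autostart entry: %TargetInstance.Name%',
        'Command: %TargetInstance.Command%',
        'Location: %TargetInstance.Location%  User: %TargetInstance.User%'
    )
}

# 3. Binding: nothing fires until the filter is tied to the consumer.
$Binding = Set-WmiInstance -Namespace $Namespace -Class __FilterToConsumerBinding -Arguments @{
    Filter   = $Filter
    Consumer = $Consumer
}

# Trigger it with a harmless constructed Run-key entry, wait past one polling
# interval, then read the event back from the Application log.
Set-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -Name 'DemoEntry' -Value 'calc.exe'
Start-Sleep -Seconds 15
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 8 } -MaxEvents 3 |
    Select-Object TimeCreated, ProviderName, Message

# Hunting: attacker persistence lives in exactly these three classes, so list
# every filter, consumer and binding and account for each one you did not register.
Get-WmiObject -Namespace $Namespace -Class __EventFilter | Select-Object Name, Query
Get-WmiObject -Namespace $Namespace -Class __EventConsumer |
    Select-Object Name, __CLASS, CommandLineTemplate, ScriptText, InsertionStringTemplates
Get-WmiObject -Namespace $Namespace -Class __FilterToConsumerBinding | Select-Object Filter, Consumer

# Teardown: remove the binding first, then consumer and filter; undo the test Run key.
$Binding  | Remove-WmiObject
$Consumer | Remove-WmiObject
$Filter   | Remove-WmiObject
Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -Name 'DemoEntry'
```

The hunting section is the same whether you are looking for your own Uproot sensors or for an adversary's: a CommandLineEventConsumer or ActiveScriptEventConsumer you cannot account for, bound to a filter on process start, logon or a clock-based __TimerEvent, is a persistence mechanism that survives reboots and does not show up in the usual autoruns locations.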
Forensicating with PowerShell
PowerForensics Introduction
◉ PowerShell module for live forensic investigation
◉ Binary module (compiled C# DLL)
◉ Minimizes use of operating system APIs
◉ .NET Core compatible (Windows, macOS, *nix)
◉ Currently parses:
  ○ NTFS and FAT data structures
  ○ Windows-specific data structures
    ■ Windows Registry
    ■ Windows Event Log
    ■ Scheduled Jobs
    ■ Prefetch files
Design Decisions
◉ Forensically sound
◉ Parse raw disk structures
◉ Don’t alter NTFS timestamps
◉ Can execute on a live (running) host
◉ Operationally fast
  ○ Collect forensic data in seconds or minutes
◉ Modular capabilities
  ○ Cmdlets perform discrete tasks and can be tied together for more complicated tasks
◉ Capable of working remotely
Getting the Data
◉ Create a read handle to the physical disk / logical volume
  ○ CreateFile API (Windows)
  ○ open API (Mac/*nix)
◉ Read from the handle
  ○ FileStream Read method
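What "Getting the Data" looks like in practice, as an added example that is not PowerForensics' own code: open the volume device with a read-only FileStream (which is CreateFile on the device object underneath), read the first sector and decode the NTFS boot sector so the MFT can be located without ever asking the file system for a file. The field offsets are those of the NTFS boot sector layout; the drive letter is an assumption, and the function needs an elevated shell and PowerShell 5 or later for the ::new() constructor syntax.

```powershell
# Added example (not PowerForensics' code): raw volume read of the NTFS boot
# sector through a read-only device handle. Because we never open a file, no
# file's NTFS timestamps are updated, which is the point of parsing raw disk
# structures on a live host. Requires an elevated shell.
function Get-NtfsBootSector {
    param([string]$Volume = 'C')   # drive letter; assumption, change to suit

    $DevicePath = "\\.\${Volume}:"
    # Share-read/write so the running OS keeps working; we only ever read.
    $Stream = [System.IO.FileStream]::new($DevicePath, [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read, [System.IO.FileShare]::ReadWrite)
    try {
        # Raw device reads must be sector-sized and sector-aligned; sector 0 is the boot sector.
        $Buffer = New-Object byte[] 512
        $Read   = $Stream.Read($Buffer, 0, $Buffer.Length)
        if ($Read -ne 512) { throw "Short read ($Read bytes) from $DevicePath" }
    } finally {
        $Stream.Dispose()
    }

    # OEM ID at offset 3 is the cheapest sanity check that this is NTFS at all.
    $OemId = [System.Text.Encoding]::ASCII.GetString($Buffer, 3, 8)
    if ($OemId -ne 'NTFS    ') { throw "Not an NTFS boot sector (OEM ID '$OemId')" }

    # BIOS Parameter Block / extended BPB fields (all little-endian)
    $BytesPerSector    = [BitConverter]::ToUInt16($Buffer, 0x0B)
    $SectorsPerCluster = [int]$Buffer[0x0D]
    $TotalSectors      = [BitConverter]::ToUInt64($Buffer, 0x28)
    $MftCluster        = [BitConverter]::ToUInt64($Buffer, 0x30)
    $MftMirrCluster    = [BitConverter]::ToUInt64($Buffer, 0x38)

    # Clusters per file record is a signed byte: a negative value n means the
    # record is 2^(-n) bytes (0xF6 = -10 -> 1024-byte MFT records).
    $ClustersPerRecord = [int]$Buffer[0x40]
    if ($ClustersPerRecord -gt 127) { $ClustersPerRecord -= 256 }
    $FileRecordSize = if ($ClustersPerRecord -lt 0) {
        [int][math]::Pow(2, -$ClustersPerRecord)
    } else {
        $ClustersPerRecord * $SectorsPerCluster * $BytesPerSector
    }

    [PSCustomObject]@{
        Volume            = $DevicePath
        BytesPerSector    = $BytesPerSector
        SectorsPerCluster = $SectorsPerCluster
        ClusterSize       = $BytesPerSector * $SectorsPerCluster
        TotalSectors      = $TotalSectors
        MftCluster        = $MftCluster
        # Byte offset of $MFT from the start of the volume: where a raw MFT parser seeks next
        MftByteOffset     = $MftCluster * $SectorsPerCluster * $BytesPerSector
        MftMirrCluster    = $MftMirrCluster
        FileRecordSize    = $FileRecordSize
        VolumeSerial      = ('{0:X16}' -f [BitConverter]::ToUInt64($Buffer, 0x48))
    }
}

Get-NtfsBootSector -Volume 'C'
```

MftByteOffset is the number a raw parser seeks to next: the first FileRecordSize bytes there are the $MFT record itself, whose $DATA attribute run list describes where the rest of the MFT lives. Everything the Forensic Timelining slide lists (MFT, UsnJrnl, registry hives, Prefetch, event logs) can be reached the same way, by walking NTFS structures from this sector instead of calling the file APIs that would update access timestamps.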
Forensic Timelining
◉ Investigate file system activity temporally
◉ Aggregate artifacts from different sources:
  ○ Master File Table
  ○ UsnJrnl
  ○ Registry
  ○ Prefetch
  ○ Event Logs
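A minimal timeline merge, as an added example rather than PowerForensics' own timeline cmdlet: every artifact source is mapped onto one common record shape, the records are sorted by time, and a time window around a suspicious artifact pulls related activity from the other sources. The input records are constructed stand-ins for parser output, and the property names used in the mapping are assumptions, not the module's real output; swap them for whatever your parsers emit.

```powershell
# Added example (not PowerForensics' code). Records below are constructed samples
# standing in for MFT, UsnJrnl, Prefetch and event log parser output; their
# property names are assumptions about that output.

# One common shape for every source; timestamps normalised to UTC so that sources
# recording local time and sources recording UTC sort correctly against each other.
function ConvertTo-TimelineEntry {
    param(
        [Parameter(Mandatory)][datetime]$Time,
        [Parameter(Mandatory)][string]$Source,
        [Parameter(Mandatory)][string]$Activity,
        [Parameter(Mandatory)][string]$Artifact,
        [string]$Detail = ''
    )
    [PSCustomObject]@{
        Time     = $Time.ToUniversalTime()
        Source   = $Source
        Activity = $Activity
        Artifact = $Artifact
        Detail   = $Detail
    }
}

# Constructed sample records (not real parser output)
$Mft = @(
    [PSCustomObject]@{ FullName = 'C:\Users\bob\AppData\Local\Temp\up.ps1'
                       BornTime = [datetime]'2017-03-01T10:02:11Z'; ModifiedTime = [datetime]'2017-03-01T10:02:30Z' }
)
$Usn = @(
    [PSCustomObject]@{ FileName = 'up.ps1'; TimeStamp = [datetime]'2017-03-01T10:02:11Z'; Reason = 'FILE_CREATE' }
    [PSCustomObject]@{ FileName = 'up.ps1'; TimeStamp = [datetime]'2017-03-01T10:02:30Z'; Reason = 'DATA_EXTEND, CLOSE' }
)
$Prefetch = @(
    [PSCustomObject]@{ Path = '\WINDOWS\SYSTEM32\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE'
                       PrefetchAccessTime = @([datetime]'2017-03-01T09:15:02Z', [datetime]'2017-03-01T10:02:40Z'); RunCount = 7 }
)
$EventLog = @(
    [PSCustomObject]@{ TimeCreated = [datetime]'2017-03-01T10:02:41Z'; Id = 4688
                       Message = 'New process: powershell.exe -ep bypass -f up.ps1' }
    [PSCustomObject]@{ TimeCreated = [datetime]'2017-03-01T14:30:00Z'; Id = 4624; Message = 'Logon type 3 for bob' }
)

# Normalise each source, then merge by time. The MFT contributes one entry per
# timestamp of interest; Prefetch one per recorded execution.
$Timeline = @(
    foreach ($r in $Mft) {
        ConvertTo-TimelineEntry -Time $r.BornTime     -Source 'MFT' -Activity 'Created'  -Artifact $r.FullName
        ConvertTo-TimelineEntry -Time $r.ModifiedTime -Source 'MFT' -Activity 'Modified' -Artifact $r.FullName
    }
    foreach ($r in $Usn) {
        ConvertTo-TimelineEntry -Time $r.TimeStamp -Source 'UsnJrnl' -Activity $r.Reason -Artifact $r.FileName
    }
    foreach ($r in $Prefetch) {
        foreach ($t in $r.PrefetchAccessTime) {
            ConvertTo-TimelineEntry -Time $t -Source 'Prefetch' -Activity 'Executed' -Artifact $r.Path -Detail "RunCount=$($r.RunCount)"
        }
    }
    foreach ($r in $EventLog) {
        ConvertTo-TimelineEntry -Time $r.TimeCreated -Source 'EventLog' -Activity "EID $($r.Id)" -Artifact 'Security' -Detail $r.Message
    }
) | Sort-Object Time

$Timeline | Format-Table -AutoSize

# Pivot: take the first sighting of the suspicious file and show everything any
# source recorded within two minutes of it, which is how the Prefetch hit and the
# 4688 line up with the file creation.
$Pivot = ($Timeline | Where-Object { $_.Artifact -like '*up.ps1*' } | Select-Object -First 1).Time
$Timeline | Where-Object { [math]::Abs(($_.Time - $Pivot).TotalMinutes) -le 2 } | Format-Table -AutoSize
```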
PowerForensics Portable
◉ Allows PowerForensics to be run on a remote system
◉ Loads the PowerForensics assembly in memory
◉ The assembly exposes a public API to query data
Attacking and Defending with PowerShell
Other Detections
Previous Talks: http://bit.ly/2kFItwg
Any questions? You can find us at:
◉ @harmj0y (will [at] harmj0y.net)
◉ @jaredcatkinson (jared [at] invoke-ir.com)
Thanks!